Information Security Policy
Purpose
Citizen Mutual protects all digital, financial, and client information to preserve its confidentiality, integrity, and availability, in line with FATF recommendations, the UK GDPR, the EU GDPR, and UAE data protection law.
Scope
Applies to all employees, systems, third-party providers, and digital infrastructure including crypto wallets, private keys, and customer data.
Responsibilities
- Board of Directors: Overall security oversight.
- Chief Information Security Officer (CISO): Implements and monitors security controls.
- All Employees: Must follow security protocols and report incidents.
Information Protection
Data is classified as Public, Internal, Confidential, or Highly Confidential, and access is granted on a need-to-know basis. Multi-Factor Authentication (MFA) and the password policy are mandatory for all accounts. Data is encrypted in transit (TLS 1.3) and at rest (AES-256). Crypto private keys are stored in HSMs or cold wallets under multi-signature control, so that no single key holder can authorise a transaction alone.
Cyber & Network Security
Firewalls, DDoS protection, and 24/7 monitoring are in place. Vulnerability scans are run regularly and penetration tests at least annually. Development and production environments are segregated.
Incident Response
Any breach or suspicious activity must be reported to the CISO immediately. Major incidents are reported to the relevant regulators within 72 hours of becoming aware of them. Root cause analysis is completed within 7 days.
Data Privacy
Client data is processed in compliance with the UK GDPR, EU GDPR, and UAE PDPL, and is used only for legitimate banking purposes. Records are retained for a minimum of 5 years, as required by AML and other regulatory obligations.
Third Parties & Vendors
All vendors undergo security due diligence. Contracts include confidentiality and breach-notification clauses.
Business Continuity
Backups are taken daily and disaster recovery is tested annually. Critical systems are replicated to secure secondary data centers.
Training
All employees receive annual cybersecurity training and phishing awareness testing.
Review
Policy reviewed annually or after any major change in systems or regulations.